Restoring a McAfee quarantined file

31 August 2015

Learn how to decompress, decrypt and restore the original content of a McAfee .BUP quarantine file.

Introduction

McAfee VirusScan Enterprise quarantined files are stored with the .BUP file extension. If you need to recover the content of the original file for digital forensics or reverse engineering purposes, you can use the Quarantine Manager.

But in some situations you might not be able to restore the .BUP file with the Quarantine Manager.

Quarantine file structure

A .BUP file contains the following entries:

Details - This file contains all the details about the quarantine.
File_0 - The first original file inside the quarantine file.

Obviously, if these files were only compressed, McAfee VirusScan Enterprise would still recognise them as a threat to the system. Therefore, to make them harmless, all the files contained in a .BUP file are encrypted using XOR with the one-byte key 0x6A.

Extraction script

To make life easier we developed a small Python script which automates the process of extracting files and information from a .BUP file.
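The following is an added example written for this page, not the authors' script: it undoes the one-byte XOR (key 0x6A) described above and reads the key/value pairs of the Details entry, so that the quarantined content and its metadata can be examined offline. It assumes that the Details entry is INI-style text (the field names in the constructed sample are illustrative only) and that the .BUP container is an OLE compound document read with the third-party olefile package; the XOR and parsing functions themselves run stand-alone.

```python
"""Added example (not the post's own script): decode the XOR-0x6A streams of a
McAfee .BUP quarantine file and parse the Details stream."""
import configparser

XOR_KEY = 0x6A  # one-byte key stated in the post


def unxor(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_details(decoded: bytes) -> dict:
    """Parse the decoded Details stream into {section: {key: value}}.
    Assumption: INI-style text with a [Details] section of key=value lines."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' is literal
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(decoded.decode("latin-1"))  # never raises on bytes
    return {section: dict(parser[section]) for section in parser.sections()}


def restore_from_bup(path: str):
    """Return (details_dict, original_file_bytes) for a real .BUP file.
    Assumption: the container is an OLE compound document with streams named
    'Details' and 'File_0'; 'olefile' (pip install olefile) reads it."""
    import olefile  # third-party, not part of the standard library
    ole = olefile.OleFileIO(path)
    try:
        details = unxor(ole.openstream("Details").read())
        original = unxor(ole.openstream("File_0").read())
    finally:
        ole.close()
    return parse_details(details), original


# Constructed sample standing in for a decoded Details stream; the field
# names are illustrative and not a statement of the real stream layout.
SAMPLE_DETAILS = (
    b"[Details]\n"
    b"OriginalName=C:\\Users\\user\\Downloads\\invoice.exe\n"
    b"DetectionName=Generic.Trojan\n"
)
SAMPLE_DETAILS_XORED = unxor(SAMPLE_DETAILS)  # as it would sit inside the .BUP

if __name__ == "__main__":
    info = parse_details(unxor(SAMPLE_DETAILS_XORED))
    print(info["Details"]["OriginalName"], info["Details"]["DetectionName"])
```

Run restore_from_bup() against a real quarantine file only on an isolated analysis host, since File_0 is the unmodified detected sample once decoded.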